SonicWall Security Center

Cerber ransom payment doubles (Nov 23, 2016)


The Cerber Ransomware continues to spread and generate income for its operators. We have covered this Ransomware family in a previous SonicALERT back in August but it has since evolved and some details about its internal operations and presentation have changed. For example, a new information page is used and the ransom has now doubled in value from $500 to $1000 since August. This increase in price is a strong indicator of past success.

Infection Cycle:

The latest variant of this trojan uses the following icon:

The Trojan makes the following DNS requests:

The Trojan adds the following files to the filesystem:

  • %SYSTEMROOT%\README.hta (ransom information page)
  • %USERPROFILE%\Local Settings\Temp\README.hta (ransom information page)

It then encrypts various files on the filesystem and renames them to {10 random alphanumeric characters}.9d4b. It copies README.hta to every directory that contains the newly encrypted files.
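The rename pattern and the dropped note give a responder two filesystem indicators to sweep for. The script below is an added example, not SonicWall's code or part of the original alert: it walks a directory tree, flags every directory holding files named with ten alphanumeric characters plus the `.9d4b` extension, and records whether `README.hta` was copied alongside them. The sample tree it builds is constructed for the demonstration; the file names in it are made up and are not real indicators.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Rename pattern described in the alert: exactly ten alphanumeric
# characters followed by the ".9d4b" extension.
CERBER_RENAME = re.compile(r"^[A-Za-z0-9]{10}\.9d4b$")
# Ransom note name described in the alert.
RANSOM_NOTE = "README.hta"


def scan_for_cerber_artifacts(root):
    """Walk `root` and report directories that look Cerber-encrypted.

    Returns a dict keyed by directory path (str). Each value lists the
    files matching the rename pattern and whether the ransom note sits
    in the same directory. A directory is reported as soon as it holds
    one renamed file, so an encrypted file without a note still surfaces.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        renamed = sorted(f for f in filenames if CERBER_RENAME.match(f))
        if not renamed:
            continue
        hits[dirpath] = {
            "encrypted_files": renamed,
            "ransom_note_present": RANSOM_NOTE in filenames,
        }
    return hits


def summarize(hits):
    """Roll the per-directory findings up into triage counts."""
    return {
        "directories": len(hits),
        "encrypted_files": sum(len(v["encrypted_files"]) for v in hits.values()),
        "directories_with_note": sum(1 for v in hits.values() if v["ransom_note_present"]),
    }


def build_constructed_tree():
    """Create a throwaway tree imitating the post-infection layout.

    All names and contents here are constructed sample data for the
    demonstration; they are not indicators from a real sample.
    """
    base = Path(tempfile.mkdtemp(prefix="cerber_demo_"))
    docs = base / "Documents"
    docs.mkdir()
    (docs / "aB3dE5fG7h.9d4b").write_bytes(b"\x00" * 16)
    (docs / "Zz9Yy8Xx7W.9d4b").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
    pics = base / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")       # untouched file
    (pics / "Q1w2E3r4T5.9d4b").write_bytes(b"\x00" * 16)      # renamed, note missing
    music = base / "Music"
    music.mkdir()
    (music / "track.mp3").write_bytes(b"ID3")
    (music / "short.9d4b").write_bytes(b"")                   # wrong length: must not match
    return base


if __name__ == "__main__":
    root = build_constructed_tree()
    try:
        findings = scan_for_cerber_artifacts(root)
        for directory, info in findings.items():
            note = "note present" if info["ransom_note_present"] else "NO note"
            print(f"{directory}: {len(info['encrypted_files'])} renamed file(s), {note}")
        print(summarize(findings))
    finally:
        shutil.rmtree(root)
```

Run it against a mounted image or a share rather than the constructed tree to get a directory-level map of what was touched; the "note missing" case matters because the alert says the note is copied only into directories that contain encrypted files, so a renamed file without one suggests the encryption run was interrupted or the note was removed.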

It displays the following information on the desktop background:

The links lead to a website located on the Tor network:

The Trojan reports its infection to a remote C&C/key server:

It checks the status of the supplied bitcoin address that requires funding to verify payment:

Upon inspecting the transaction activity of the bitcoin address, we can see that it is still generating income at the time of writing this alert. It has generated the equivalent of almost $21,000 for its operators so far. This is not the only bitcoin address used; we have observed other bitcoin addresses being used to pay the required ransom:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Cerber.HM (Trojan)
